[squid-users] How to definitively disable IPv6
Amos Jeffries
squid3 at treenet.co.nz
Fri Jan 25 16:00:18 UTC 2019
On 25/01/19 11:29 pm, Troiano Alessio wrote:
> Hello,
>
> I need to definitively solve the ipv6 (un)reachability issue.
>
> I state I read this topic:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/dns-v4-first-on-ignored-td4658427.html
> but did not find a solution. Amos wrote “Squid tests for IPv6 ability
> automatically by opening a socket on a private IP address, if that works
> the socket options are noted and used.”
>
> Anyway I disabled IPv6 on my Red Hat 7.4 with the following:
>
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.default.disable_ipv6 = 1
> net.ipv6.conf.bond0.disable_ipv6 = 1
> net.ipv6.conf.lo.disable_ipv6 = 1
>
IIRC there are boot options necessary so the machine kernel starts with
its IPv6 TCP stack disabled.
> Used the “dns_v4_first on” and also “tcp_outgoing_address 172.31.1.x
> all” on squid conf to force the use of IPv4.
Neither of which forces anything.

dns_v4_first influences the sorting order of DNS results provided to
Squid's server selection logic. Services which are IPv6-only or whose
IPv4 are not working _will_ attempt to use IPv6.

NP: Please be aware that error pages only mention the *last* error to
be encountered. With dns_v4_first you will see an IPv6 address being
mentioned as not contactable. Because all the IPv4 failed (first) then
all the IPv6 failed (last).

tcp_outgoing_address only applies on protocols for which that address
is valid. Meaning the above only sets a particular address on IPv4
connections - it has no effect on IPv6 connections.

The only way to completely disable IPv6 is to build Squid with
--disable-ipv6.
>
> Anyway squid tries to connect to the IPv6 address instead of IPv4 and I’m
> not able to reach it:
>
> C:\Users\atroiano>nslookup download.pdfforge.org
> Server: espevmdxxxx.xxxx.prv
> Address: 172.x.x.x
>
> Risposta da un server non autorevole:
> Nome: download.pdfforge.org
> Addresses: 2001:4860:4802:38::15
>            2001:4860:4802:34::15
>            2001:4860:4802:32::15
>            2001:4860:4802:36::15
>            216.239.32.21
>            216.239.38.21
>            216.239.36.21
>            216.239.34.21
>
Are any of those IPv4 addresses able to be connected to and fetched from
by processes on the Squid machine?

The squidclient tool can be used to probe individual server/IP for
issues fetching requests.

> [root@HUB-RM-PRX-03 ~]# tail -f /var/log/squid/rsa/access.log | grep
> pdfforge.org
>
> %SQUID-4: 172.31.x.x 49444 [25/Jan/2019:11:02:58 +0100] "GET
> http://download.pdfforge.org/download/pdfcreator/PDFCreator-stable
> HTTP/1.1" download.pdfforge.org - -
> "/download/pdfcreator/PDFCreator-stable" 503 text/html 4545 "-"
> "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101
> Firefox/64.0" TCP_MISS:HIER_DIRECT 2001:4860:4802:38::15 80 0
>
> Squid doesn’t try to connect to IPv4 addresses for this site and for
> many others.
>
I suspect Squid actually is, but not telling you everything it does to
retry different destination servers / IPs before it gets to the final
failure point.

Please check the mgr:ipcache log to see what IPs Squid has known for
that domain and which ones are flagged 'B' for broken/bad/failing.

Amos
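
Added example, not part of the message above and not Squid's own code: a Python model of the v4-first retry order the reply describes, which can also be run on the Squid host to see which of the quoted addresses accept a TCP connection. The function names and the 3-second timeout are assumptions; order within an address family is simply the resolver's order, which may differ from Squid's.

```python
import ipaddress
import socket

# Addresses copied from the nslookup output quoted in the thread.
PDFFORGE_ADDRS = [
    "2001:4860:4802:38::15", "2001:4860:4802:34::15",
    "2001:4860:4802:32::15", "2001:4860:4802:36::15",
    "216.239.32.21", "216.239.38.21", "216.239.36.21", "216.239.34.21",
]


def order_v4_first(addrs):
    """Stable sort putting IPv4 ahead of IPv6. Nothing is dropped,
    so IPv6 destinations are still tried once IPv4 is exhausted."""
    return sorted(addrs, key=lambda a: ipaddress.ip_address(a).version)


def tcp_connect(addr, port=80, timeout=3.0):
    """Real probe: returns None on success, else the OS error text."""
    try:
        socket.create_connection((addr, port), timeout=timeout).close()
        return None
    except OSError as exc:
        return str(exc)


def probe(addrs, connect=tcp_connect):
    """Try destinations in v4-first order, stopping at the first success.

    Returns (attempts, connected, reported): every (addr, error) tried,
    the address that answered (or None), and the address a
    last-error-only report would name (None when a connect succeeded).
    """
    attempts = []
    for addr in order_v4_first(addrs):
        err = connect(addr)
        attempts.append((addr, err))
        if err is None:
            return attempts, addr, None
    reported = attempts[-1][0] if attempts else None
    return attempts, None, reported


if __name__ == "__main__":
    attempts, connected, reported = probe(PDFFORGE_ADDRS)
    for addr, err in attempts:
        print(f"{addr:<24} {'OK' if err is None else 'FAIL: ' + err}")
    print("connected:", connected, "| last error would name:", reported)
```

If every IPv4 line prints FAIL, the problem is IPv4 reachability from the proxy host, and the IPv6 address in the 503 log line is only the last destination tried.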